
Instant messaging and peer-to-peer applications are two of the most widely used applications on the Internet. Most organizations view these applications as frivolous ways to consume expensive resources, including employee time and network bandwidth. Furthermore, instant messaging and peer-to-peer networks can act as a conduit for malicious threats such as worms, offering an easy path around firewalls and causing concerns about privacy and security.

Application inspection and control varies in capability per service. For example, HTTP application inspection offers granular filtering on several types of application activity, including the ability to limit transfer size, web address lengths, and browser activity to enforce compliance with application-behavior standards and to limit the types of content that are transferred over the service. On the other hand, instant messaging and peer-to-peer application inspection offers granular application control on specific activities in the various protocols, so that certain application activities are allowed while others are denied. These instant messaging and peer-to-peer application activities include text chat, file search, file transfer, voice, and video.

Application inspection class maps allow you to identify traffic based on the attributes of a given protocol. All the match conditions in these class maps are specific to an application (for example, HTTP or Yahoo! Messenger). Application inspection class maps are identified by an additional subtype that generally is the protocol name (for instance, HTTP or YMSGR) in addition to the type inspect.

Application inspection policy maps are used to specify a policy for an application protocol. For example, if you want to drop HTTP traffic with URI lengths exceeding 256 bytes, you must configure an HTTP policy map to do that. Application inspection policy maps cannot be attached directly to a zone-pair. They must be configured as "child" policies in a top-level Layer 3 or Layer 4 policy map. For more information, please consult:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html - wp1054769

Instant messaging and peer-to-peer traffic generally offer two modes of operation: a native mode, where the application runs on a uniquely defined set of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports, and "HTTP cloaked" mode, in which the application masquerades as HTTP (TCP port 80) traffic in order to gain passage through firewalls and other network policy controls. Some of the more advanced instant messaging and peer-to-peer applications implement sufficient RFC 2616 dialogue to appear as a legitimate conversation between a web browser and a web server.

Cisco IOS Zone-Based Policy Firewall provides both Layer 4 inspection to permit or deny instant messaging and peer-to-peer traffic and Layer 7 granular application control on specific instant messaging and peer-to-peer activities. The instant messaging and peer-to-peer applications can be individually denied or permitted. Each application may be individually controlled so that text chat service is allowed, and voice, file transfer, video, and other services are restricted. This functionality allows organizations to control instant messaging and peer-to-peer traffic that operates in HTTP cloaked mode and is disguised as HTTP (web) traffic.

Example Network

We will examine a simple network to build an example of using Cisco IOS Zone-Based Policy Firewall to control peer-to-peer and instant messaging traffic, and to block cloaked applications that try to exploit TCP port 80 to gain access through the firewall (Figure 1). Our sample network consists of a private network, connected to the public Internet through a Cisco router using Zone-Based Policy Firewall.

Figure 1. Example Network Using Cisco IOS Zone-Based Policy Firewall

The example network denies any traffic initiated from the public Internet to the private network, and allows the following traffic from the private network to the public Internet: Domain Name System (DNS) lookup, Simple Mail Transfer Protocol (SMTP), Post Office Protocol Version 3 (POP3), HTTP/HTTPS, Network Time Protocol (NTP), File Transfer Protocol (FTP), Internet Control Message Protocol (ICMP), any services provided in Yahoo! Messenger, and only text-chat in eDonkey. Furthermore, application inspection is applied on HTTP connections to help ensure that supported instant messaging and peer-to-peer applications are not carried on TCP port 80 (HTTP).

Configuring Firewall Policy to Control Instant Messaging and Peer-to-Peer Traffic

The private-to-public policy applies Layer 4 inspection to DNS, SMTP, POP3, HTTP/HTTPS, NTP, FTP, ICMP, Yahoo! Messenger, and eDonkey passing from the private zone to the public zone. Stateful inspection allows connections initiated from the private zone to the public zone and the return traffic belonging to those connections; nothing initiated from the public zone is admitted.

Layer 7 inspection (application inspection and control) policy is applied for two purposes: to control specific services within the instant messaging and peer-to-peer applications, and to stop unwanted use of the HTTP service port by other applications. Instant messaging, peer-to-peer, and tunneling applications can all redirect otherwise firewalled traffic through TCP port 80 (HTTP), and Layer 4 inspection alone cannot tell them apart from web browsing.

To configure firewall policy, follow these steps:

1. Write the Layer 4 class maps.

Define a class map that describes the traffic permitted from the private zone to the public zone. Separate Layer 4 class maps are defined for HTTP, Yahoo! Messenger, and eDonkey, because the Layer 7 application inspection policy for each of these protocols is attached (as a child service-policy) to that protocol's own class within the Layer 4 policy map. The match protocol smtp extended command is used to inspect Extended SMTP (ESMTP) traffic.

Layer 7 HTTP application inspection and control is used to control unwanted use of the HTTP service port for other applications such as instant messaging, peer-to-peer, and tunneling applications that can redirect otherwise firewalled applications through TCP port 80 (HTTP).

When you use "protocol-violation" HTTP application inspection (the match req-resp protocol-violation criterion in an HTTP class map), any request or response that does not conform to RFC 2616 matches the class. Some legitimate websites are not RFC-compliant, so applying a reset action to this class may block their content. A practical approach is to apply only the log action to this class first, review the logged matches, and move to reset only once the legitimate sites in use have been accounted for.
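The following configuration ties the steps together for the example network. It is an added illustration written for this page, not configuration copied from the original document or from Cisco. The class-map, policy-map, and zone names are chosen here; the interface names, the Yahoo! Messenger server entry under parameter-map type protocol-info, and the exact regular-expression arguments of the eDonkey match commands are assumptions that should be checked against the command reference for the IOS release in use. The router must be able to resolve the Yahoo! server names (ip domain lookup and ip name-server) for the ymsgr match to work.

```cisco
! Layer 4 class for the plainly permitted services (ESMTP via "smtp extended")
class-map type inspect match-any private-allowed-class
 match protocol dns
 match protocol smtp extended
 match protocol pop3
 match protocol https
 match protocol ntp
 match protocol ftp
 match protocol icmp
!
! Separate Layer 4 classes for the protocols that receive a Layer 7 policy
class-map type inspect match-all http-class
 match protocol http
!
! Yahoo! Messenger login servers (placeholder entry; use the current list)
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
!
class-map type inspect match-all ymsgr-class
 match protocol ymsgr yahoo-servers
!
! "signature" also detects eDonkey running on non-native ports
class-map type inspect match-all edonkey-class
 match protocol edonkey signature
!
! Layer 7 HTTP: reset IM, P2P and tunneling cloaked on port 80.
! RFC violations are only logged until the logs show no legitimate
! sites are affected; then the action can be changed to reset.
class-map type inspect http match-any http-port-misuse
 match request port-misuse im
 match request port-misuse p2p
 match request port-misuse tunneling
class-map type inspect http match-any http-protocol-violation
 match req-resp protocol-violation
policy-map type inspect http http-policy
 class type inspect http http-port-misuse
  reset
  log
 class type inspect http http-protocol-violation
  log
!
! Layer 7 Yahoo! Messenger: every service allowed and logged
class-map type inspect ymsgr match-any ymsgr-all
 match service any
policy-map type inspect im ymsgr-policy
 class type inspect ymsgr ymsgr-all
  allow
  log
!
! Layer 7 eDonkey: text chat allowed; file search and file transfer reset
class-map type inspect edonkey match-any edonkey-chat
 match text-chat
class-map type inspect edonkey match-any edonkey-files
 match file-transfer .*
 match search-file-name .*
policy-map type inspect p2p edonkey-policy
 class type inspect edonkey edonkey-chat
  allow
 class type inspect edonkey edonkey-files
  reset
  log
!
! Top-level Layer 4 policy; each Layer 7 policy is a child of its own class
policy-map type inspect private-public-policy
 class type inspect private-allowed-class
  inspect
 class type inspect http-class
  inspect
  service-policy http http-policy
 class type inspect ymsgr-class
  inspect
  service-policy im ymsgr-policy
 class type inspect edonkey-class
  inspect
  service-policy p2p edonkey-policy
 class class-default
  drop
!
! Only the private-to-public zone-pair exists, so sessions initiated
! from the Internet toward the private zone are dropped.
zone security private
zone security public
zone-pair security private-public source private destination public
 service-policy type inspect private-public-policy
interface FastEthernet0/0
 zone-member security private
interface FastEthernet0/1
 zone-member security public
```

After applying the configuration, show policy-map type inspect zone-pair private-public displays per-class packet and session counters, which is the quickest way to confirm that HTTP port-misuse resets and eDonkey file-transfer resets are actually being triggered rather than falling through to class-default.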